Troubleshooting Custom audispd Plugin

Osama Elnaggar oelnaggar04 at gmail.com
Fri Sep 7 11:30:09 UTC 2018


Hi,

I'm working on a custom audispd plugin written in Python 3.  It’s a work in
progress and I’ve successfully run it numerous times as an audispd plugin.
However, I sometimes make modifications that result in the audispd plugin
failing and I end up with the following in /var/log/syslog

Sep  6 20:52:05 ubuntu-hypervisor audispd: plugin /usr/bin/python3 terminated unexpectedly
Sep  6 20:52:05 ubuntu-hypervisor audispd: plugin /usr/bin/python3 was restarted
...

This is repeated several times until audispd gives up and I see the
following message:

Sep  6 20:52:14 ubuntu-hypervisor audispd: plugin /usr/bin/python3 has exceeded max_restarts

To troubleshoot, I modify my code to read from /var/log/audit/audit.log
instead.  I modify a single line (with fileinput.input() to read from
myfile as shown in the commented line below).

Here is the code snippet (a colorized, easier-to-read version is available
here - https://pastebin.com/84Nxu3Rp):

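import auparse
import fileinput
import logging

logger = logging.getLogger(__name__)

# let us initialize the AuParser
aup = auparse.AuParser(auparse.AUSOURCE_FEED)

# we initialize the callback to be fn_process_event
# (fn_process_event is defined elsewhere in the plugin)
aup.add_callback(fn_process_event, None, None)

myfile = "/var/log/audit/audit.log"

while True:
    try:
        # we read in line by line from stdin
        for line in fileinput.input():
        #for line in fileinput.input(myfile):
            aup.feed(line)
        # the input reached EOF, so leave the loop and flush the feed
        break
    except Exception:
        logger.error("Fatal error in while loop", exc_info=True)
        # reset fileinput so the next pass can reopen its input
        fileinput.close()

# we flush the feed when we quit
aup.flush_feed()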

Any suggestions on how to troubleshoot these types of issues when reading
from a file works fine without issue but running it as a plugin fails as
shown in /var/log/syslog?  Thanks.

-- 
Osama Elnaggar
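
An added example, not part of the original post or the audit project's code: a small harness that starts a plugin command with audit records piped to its stdin and reports the exit status and stderr, so a crash that syslog only reports as "terminated unexpectedly" can be read as a traceback. The sample records are constructed, and the minimal environment and "/" working directory are assumptions about what differs between an interactive file-based run and a run under audispd.

```python
import subprocess
import sys

# Constructed sample records in the audit text format (not from a real host).
SAMPLE_RECORDS = (
    'type=SYSCALL msg=audit(1536267125.101:4242): arch=c000003e syscall=59 '
    'success=yes exit=0 pid=2101 uid=0 comm="ls" exe="/bin/ls"\n'
    'type=EOE msg=audit(1536267125.101:4242): \n'
)

# Assumption: a daemon-started child sees little more than a basic PATH.
MINIMAL_ENV = {"PATH": "/usr/sbin:/usr/bin:/sbin:/bin"}


def run_as_plugin(cmd, records=SAMPLE_RECORDS, env=MINIMAL_ENV, timeout=10):
    """Run cmd with records piped to stdin, then close the pipe (EOF).

    Returns (returncode, stderr_text). returncode is None when the child was
    still running after `timeout` seconds and had to be killed, which is what
    a plugin that never exits on EOF looks like. Pass env=None to inherit the
    caller's environment instead of the minimal one.
    """
    proc = subprocess.Popen(
        cmd,
        stdin=subprocess.PIPE,       # records arrive on a pipe, not a file
        stdout=subprocess.DEVNULL,
        stderr=subprocess.PIPE,      # tracebacks from the interpreter land here
        env=env,
        cwd="/",
    )
    try:
        _, err = proc.communicate(records.encode(), timeout=timeout)
        return proc.returncode, err.decode(errors="replace")
    except subprocess.TimeoutExpired:
        proc.kill()
        _, err = proc.communicate()
        return None, err.decode(errors="replace")


if __name__ == "__main__":
    # Usage: python3 harness.py /usr/bin/python3 /path/to/plugin.py
    code, err = run_as_plugin(sys.argv[1:])
    print("exit status:", code)
    print(err, end="")
```

Running it as root gets closer to the conditions under audispd, since permission and path problems often only show up there.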